More Android apps from dangerous Ztorg family sneak into Google Play

Almost 100 such apps, with >1 million downloads, found so far (but not by Google).

For the second time this month, Google has removed Android apps from its Google Play marketplace. Google did so after a security researcher found the apps contained code that laid the groundwork for attackers to take administrative “root” control of infected devices.

“Magic Browser,” as one app was called, was uploaded to Google’s official Android App bazaar on May 15 and gained more than 50,000 downloads by the time it was removed, Kaspersky Lab Senior Research Analyst Roman Unuchek said in a blog post published Tuesday. Magic Browser was disguised as a knock-off to the Chrome browser. The other app, “Noise Detector,” purported to measure the decibel level of sounds, and it had been downloaded more than 10,000 times. Both apps belong to a family of Android malware known as Ztorg, which has managed to sneak past Google’s automated malware checks almost 100 times since last September.

Most Ztorg apps are notable for their ability to use well-known exploits to root infected phones. This status allows the apps to have finer-grain control and makes them harder to be removed. Ztorg apps are also concerning for their large number of downloads. A Ztorg app known as Privacy Lock, for instance, received one million installations before Google removed it last month, while an infected Pokémon Go guide racked up 500,000 downloads before its removal in September.

Earlier this month, Google removed a game called colourblock after Kaspersky Lab’s Unuchek found it contained code dubbed DVmap that attempted to gain root. To evade detection by Google, DVmap developers initially uploaded a clean version of the game to Play and later updated it to add malicious functions. Unuchek has warned that the rooting processes used by malicious rooting apps can often harm the phones because the apps can overwrite crucial files and folders.

Magic Browser and Noise Detector didn’t actually root the phones, but the Ztorg digital fingerprints in both apps led Unuchek to theorize that the app developers were in the process of adding the capability to one or both of the apps gradually in an attempt to evade detection. In the meantime, the researcher said, the developers were using Magic Browser to either test or actively use malicious text-messaging functions. The app had the ability to send premium text messages to attacker-controlled numbers. To keep users in the dark, the app could also delete incoming texts and turn off the device sound.

“So I think that the authors are still testing this malware, because they use some techniques which can break the infected devices,” Unuchek wrote. “But they already have a lot of infected users on whom to test their methods. I hope that by uncovering this malware at such an early stage, we will be able to prevent a massive and dangerous attack when the attackers are ready to actively use their methods.”